diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
index 018ec94c536e653..ea724ad835545d2 100644
--- a/src/crypto/crypto_context.cc
+++ b/src/crypto/crypto_context.cc
@@ -200,18 +200,14 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
 void ReadSystemStoreCertificates(
 std::vector* system_root_certificates) {
 #ifdef _WIN32
- const HCERTSTORE hStore = CertOpenSystemStoreW(0, L"ROOT");
- CHECK_NE(hStore, nullptr);
-
- auto cleanup =
- OnScopeLeave([hStore]() { CHECK_EQ(CertCloseStore(hStore, 0), TRUE); });
+ CertStorePointer system_store;
 PCCERT_CONTEXT certificate_context_ptr = nullptr;
 std::vector system_root_certificates_X509;
 while ((certificate_context_ptr = CertEnumCertificatesInStore(
- hStore, certificate_context_ptr)) != nullptr) {
+ system_store.ref_, certificate_context_ptr)) != nullptr) {
 const DWORD certificate_buffer_size = CertGetNameStringW(certificate_context_ptr, CERT_NAME_SIMPLE_DISPLAY_TYPE,
diff --git a/src/crypto/crypto_context.h b/src/crypto/crypto_context.h
index 4dfd0dfa032cf7e..2f437640ce0faea 100644
--- a/src/crypto/crypto_context.h
+++ b/src/crypto/crypto_context.h
@@ -9,12 +9,28 @@
 #include "memory_tracker.h"
 #include "v8.h"
+#ifdef _WIN32
+#ifndef _WIN32_WINNT
+#define _WIN32_WINNT 0x0400
+#endif
+#include
+#include
+#endif
+
 namespace node {
 namespace crypto {
 // A maxVersion of 0 means "any", but OpenSSL may support TLS versions that
 // Node.js doesn't, so pin the max to what we do support.
 constexpr int kMaxSupportedVersion = TLS1_3_VERSION;
+#if _WIN32
+struct CertStorePointer {
+ const HCERTSTORE ref_;
+ CertStorePointer() : ref_(CertOpenSystemStoreW(0, L"ROOT")) {}
+ ~CertStorePointer() { CHECK_EQ(CertCloseStore(ref_, 0), TRUE); }
+};
+#endif
+
 void GetRootCertificates(
 const v8::FunctionCallbackInfo& args);
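Review bot: The null check on the store handle is lost here: the removed `CHECK_NE(hStore, nullptr);` has no counterpart after `CertStorePointer system_store;`, and the constructor shown in crypto_context.h stores the result of `CertOpenSystemStoreW` unchecked. If the open fails, `system_store.ref_` reaches `CertEnumCertificatesInStore` and later `CertCloseStore` as a null handle, so the failure no longer surfaces at the open, and the function may end up with no system roots collected. I would keep the explicit check directly after the declaration, `CHECK_NE(system_store.ref_, nullptr);`, or move it into the constructor. The body of ReadSystemStoreCertificates continues past the end of this hunk.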
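Review bot: `CertStorePointer` owns a handle but is still copy-constructible, so an accidental copy would make two destructors call `CertCloseStore` on the same `HCERTSTORE`; the const member only removes assignment. Delete copying explicitly with `CertStorePointer(const CertStorePointer&) = delete;` and `CertStorePointer& operator=(const CertStorePointer&) = delete;`. The struct also deserves a short comment saying that it opens the system ROOT store and closes it on scope exit. Separately, the guard around the struct is `#if _WIN32` while the include block above uses `#ifdef _WIN32`; using `#ifdef` in both avoids evaluating an undefined macro on other platforms.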